rkervella
commented
4 years ago Haven't looked at Watson yet, but it's probably due to the fact that the assembly entrypoint expects a string[] args as first parameter (even if not used). We're re-using the HostingCLR_Inject code from metasploit-execute-assembly, and as stated in their README:
ARGUMENTS Command line arguments. The signature of the Main method must match with the parameters that have been set in the module, for example: If the property ARGUMENTS is set to "antani sblinda destra" the main method should be "static void main (string [] args)" If the property ARGUMENTS is set to "" the main method should be "static void main ()"
Adding a "dummy" argument on the sliver command line usually does the trick:
sliver (INDIRECT_POSSIBLE) > execute-assembly -t 100 tools/bin/watson.exe blah
Let me know if that works for you.
delta-plus
Description Execute-assembly sometimes fails with "Failed pMethodInfo->Invoke_3 w/hr 0x8002000e". The hex address doesn't seem to change. So far, this seems to affect Rastamouse's Watson and Ghostpack's SharpUp, both .NET 3.5 and 4.0 versions. Interestingly, Seatbelt works perfectly. For reference, manually downloading and executing the assemblies from a shell also worked fine.
To Reproduce Like so:
Expected behavior Normal output should be returned (as with Seatbelt).
Desktop
Additional context Tested on Windows 10 home lab machine over local WiFi and over the net with VPN on HackTheBox's current Windows servers. Used the Sliver v1.0.6 compiled from source.